Date: Sat, 06 Jan 2001 16:59:45 -0600 From: Charlie Root <blaz@satx.rr.com> To: freebsd-questions@freebsd.org Subject: problems with nat/firewall Message-ID: <3A57A360.5B869480@satx.rr.com>
next in thread | raw e-mail | index | archive | help
greetings,
I added the following to my kernel and rebuilt:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
then I added to /etc/rc.conf:
gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="xl0" # my NIC connected to cable modem
natd_flags="-dynamic"
firewall_script="/etc/rc.firewall.new"
then to my rc.firewall.new script is where I am getting
confused.. not with the rules, but the variables I need
to supply:
#Define your variables
#
fwcmd="/sbin/ipfw" #leave as is if using ipfw
oif="oifx" #set to outside interface name
onwr="a.b.c.d/24" #set to outside network range
oip="a.b.c.d" #set to outside ip address
iif="ifx" #set to internal interface name
inwr="x.y.z.x/24" #set to internal network range
iip="x.y.z.x" #set to internal ip address
ns1="e.f.g.h" #set to primary name server best if = oif
#ntp="i.j.k.l" #set to ip of NTP server or leave as is
below is what I supplied, and when I type to ping
to local network I get TCP/IP denied.. its blocking the packets
and I don't think its the rules, but the interface information.
I will supply the rules at the end, in case it is -- I am going
by an article I read on bsdtoday.com.. anyway here is what
I supplied:
fwcmd="/sbin/ipfw" #leave as is if using ipfw
oif="xl0" #set to outside interface name
onwr="255.255.255.0" #set to outside network range
I am not sure about this..
oip="my ip" #set to outside ip address
I use DHCP, but supplied current IP
this has to be wrong
iif="xl1" #set to internal interface name
inwr="192.168.2/24" #set to internal network range
iip="192.168.2.1" #set to internal ip address
ns1="my name server" #set to primary name server best if = oif
ntp="clock.isc.org" #set to ip of NTP server or leave as is
I know I must have this screwerd up :) but here my rules in
case its not:
# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside
interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
#
# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
#
# Allow incomming requests to reach the following services:
# To allow multiple services you may list them separated
# by a coma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow tcp from any to $oip 22 setup
#
# NOTE: you may have to change your client to passive or active
mode
# to get ftp to work once enabled, only ssh enabled by
default.
# 21:ftp
# 22:ssh enabled by default
# 23:telnet
# 25:smtp
# 110:pop
# 143:imap
# 80:http
# 443:ssl
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any 53 to $ns1 53
#
# Allow time update traffic
# $fwcmd add allow udp from $ntp 123 to $oip 123
#
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A57A360.5B869480>